Web Programming, Linux System Administation, and Entrepreneurship in Athens Georgia

WoW account hacking, and a potential solution?

A website just posted a story about how there is “no end in sight” to the hacking of World of Warcraft accounts. The story tells about hackers who install keylogging software on victims’ computers, then use it to relay the victims’ WoW username and password back to them. Then they simply log in as that user, transfer all of the victim’s valuable in-game assets to accounts that they control, and sell off everything for cash.

An idea I had on how to solve this, as well as lots of other online identity theft problems, is to allow users to opt-in to a login restriction based on IP Address. Blizzard could ask you if you want to restrict logins to your current IP (or, more likely, the first 22 bits or so of your IP address). Any attempt to login with an IP outside that range would require some kind of external verification, like an automated phone call where you verify the last four digits of your credit card number.

It would take a little work on their side, but surely Blizzard ought to be able to come up with something like this. I would think that the development time up front would save them lots money on customer service and canceled subscriptions down the line when accounts are compromised.

The solution does have a couple potential problems. Mainly, if a hacker is able to install keylogging software on a victims’ computer, they might also be able to install a proxy server of some sort to attempt to use the victims’ IP address anyway. There is some evidence that such Proxy programs already exist and are used for account leveling. If this type of proxy software becomes widely used, identifying hackers by IP becomes nearly impossible.

Its important to note that this idea does not apply just to WoW. Other companies like banks could use a similar security measure to protect against hackers logging in as real users. The fact that nobody has done this must mean that I’m missing something. Feel free to comment and let me know how this wouldn’t work.